RubySec

Providing security resources for the Ruby community

CVE-2026-45330 (decidim-verifications): Decidim - Verification admins can access supplied IDs from other organizations

Decidim - Verification admins can access supplied IDs from other organizations

Published: July 13, 2026

SECURITY IDENTIFIERS

GEM

decidim-verifications

SEVERITY

CVSS v3.x: 4.9 (Medium)

PATCHED VERSIONS

~> 0.30.9 ~> 0.31.5 >= 0.32.0

DESCRIPTION

Description

The verification admin mutation flow allows accessing, verifying, and rejecting participants records from another tenant.

Impact

A tenant admin can access, reject or approve another tenant's id_documents requests.

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

RELATED